How Telegram Shares Your Data with Rostelecom
Hello, Habr. One day, we were minding our own (very productive) business when we SUDDENLY discovered that, for some unknown reason, the infrastructure of Telegram includes at least the wonderful Rostelecom and the equally lovely NTC “FIORD” as peers.
List of Telegram Messenger LLP peers – you can check for yourself.
How did this happen? We decided to ask Pavel Durov directly, using his own Telegram account.
What came of it? Not what we expected from one of the creators of “the most secure messenger.”
On June 12, 2019, we decided to write to Pavel Durov at his Telegram account, which is linked to a phone number whose legitimacy can be easily verified in several ways. Here, we’ll describe the most elegant one: the number linked to his Telegram is also linked to id1 on the VKontakte social network. The email on this account, by the way, is on the telegram.org domain. I think there’s no doubt left.
Restoring the page, we see the number is linked to id1.
Going further, we see something even more interesting — the email is on the telegram.org domain. No doubt the number is real.
The number: +44 7408 ****00 (asterisks added by moderator)
We wrote with a specific purpose: to find out how these Russian companies became Telegram peers, and whether this compromises the security of the messenger’s infrastructure. A clear and reasonable question, which could have been easily answered—unless there was something to hide. Right?
After Durov read the message (honestly, we thought he’d just ignore us, but things turned out differently), something happened that we didn’t expect. He started breaking into the account of the person who wrote to him, deleting Telegram messages with confirmation codes within seconds. Later, it turned out that conversations on this account were mysteriously deleted.
The most interesting part is that one of the access messages survived, and I’m sharing it with you without hesitation:
You have successfully logged in on desk.telegram.space via +42777. The website received your name, username and profile picture.
Browser: Chrome on Windows
IP: 149.154.167.78 (Netherlands)
You can press ‘Disconnect’ to disconnect desk.telegram.space
Some Questions:
- Why is the state-owned provider Rostelecom directly connected to Telegram’s infrastructure?
- Why did Pavel Durov start this circus after reading the message, if he really has nothing to hide?
- How can we trust a messenger where the administrator himself accesses your account after an uncomfortable question, using his admin tools?
It’s up to you whether to keep using this messenger after all this. But, in my opinion, there’s one thing you should definitely do—try to get an answer from Durov.
If a state provider has access to data on Telegram’s servers, then all of Durov’s claims about the messenger’s security are lies, covering up a data leak right before your eyes. How do we know the government doesn’t actually have the keys to messages stored on the servers? After what happened, none of us can be sure.
Comment from a Habr Admin
As far as we know, the Internet consists of Autonomous Systems (ASes)—isolated networks with their own border equipment, including lots of expensive hardware like routers, firewalls, and more. Any AS can connect with another to pass traffic, either directly or through so-called Internet Exchange Points (IXPs). While direct connections can be chosen and controlled, IXP neighbors are often less controllable (some operators transit traffic from IXPs).
Technically, each neighbor connection in an IXP looks like a direct connection, which can create interesting side effects. For example, Habr’s AS has two direct connections to providers (upstreams) and participates in two IXPs, but here we see five peers (neighbors), even though there should only be two records (upstreams). Also, traffic follows the administratively shortest path, and you have to check at any given moment to see how it’s actually flowing. The fact that an AS peers with the logically closest transit neighbor to another AS doesn’t mean traffic will go through that transit AS—you can see this by studying the MRG scandal with Beeline. But even if traffic goes directly, it’s still external AS traffic. You should be prepared for the possibility that someone (NSA/China/Russian security services) could potentially snoop on it.
As for Telegram: to start, TG has four registered ASes with different numbers. One doesn’t announce anything; the other three have neighbors: two peer at remote IXPs (one, two), and one peers at three IXPs, including two Russian ones—Data IX and Global-IX (link). It’s no surprise that Rostelecom and other Russian telecoms participate in these IXPs. If passing traffic through “enemy networks” is a security problem for TG, then it doesn’t matter whether TG peers with them directly or not.
Verdict: Overall, everything looks quite natural and there’s no direct security problem here. We can’t comment on the spy story about deleting conversations.
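The two points the admin comment rests on (a neighbor in a published peer list is not the same thing as an AS on your forwarding path, and which path is used depends on best-path selection at that moment) can be checked with a short script. The block below is an added example, not code from the post, from Habr, or from Telegram. It parses constructed looking-glass style routes (`<vantage ASN> <prefix> <AS_PATH>`), derives the kind of neighbor list that public BGP visualisers show from observed adjacencies, and then asks, per vantage point, whether the route that vantage would actually select crosses a given AS. All ASNs are from the documentation range 64496-64511 (RFC 5398) and the prefix is from 203.0.113.0/24 (RFC 5737); the "domestic carrier" AS64510 and its IXP peering with the origin AS64500 are assumptions for the illustration, and the decision process is simplified to AS_PATH length plus a deterministic tiebreak.

```python
"""Added example (not from the original post or the Habr admin): does a
given AS actually carry traffic to a prefix, or does it merely appear in
the prefix owner's neighbour list?

Every route below is constructed. ASNs 64496-64511 and the prefix
203.0.113.0/24 are reserved for documentation (RFC 5398, RFC 5737)."""
import re
from collections import defaultdict

# Constructed looking-glass output, one route per line:
#   <vantage ASN> <prefix> <AS_PATH>
# Leftmost ASN is nearest to the vantage, rightmost is the origin.
# "{a b}" is an AS_SET (from aggregation); a repeated ASN is prepending.
# Assumed roles: 64500 originates the prefix, 64501/64502 are its transit
# providers, 64510 is a large domestic carrier peering with 64500 at an
# IXP, 64505-64507 and 64511 are other networks.
CONSTRUCTED_ROUTES = """
64505 203.0.113.0/24 64501 64500
64505 203.0.113.0/24 64502 64501 64500
64510 203.0.113.0/24 64500
64510 203.0.113.0/24 64501 64500
64506 203.0.113.0/24 64510 64500
64506 203.0.113.0/24 64502 64501 64501 64500
64507 203.0.113.0/24 64502 64501 64500
64507 203.0.113.0/24 64511 {64510 64502} 64500
"""

PATH_TOKEN = re.compile(r"\{[^}]*\}|\d+")


def parse_path(path_str):
    """Turn 'a b {c d} e' into hops; each hop is a tuple of ASNs
    (more than one ASN only for an AS_SET)."""
    hops = []
    for tok in PATH_TOKEN.findall(path_str):
        if tok.startswith("{"):
            hops.append(tuple(int(a) for a in tok[1:-1].split()))
        else:
            hops.append((int(tok),))
    return hops


def parse_routes(text):
    """Group routes by (vantage ASN, prefix)."""
    routes = defaultdict(list)
    for line in text.strip().splitlines():
        vantage, prefix, path = line.split(maxsplit=2)
        routes[(int(vantage), prefix)].append(parse_path(path))
    return routes


def path_length(hops):
    # RFC 4271 rule: every ASN in an AS_SEQUENCE counts (so prepends
    # lengthen the path); an AS_SET counts as one regardless of its size.
    return len(hops)


def best_path(candidates):
    """Simplified BGP decision: shortest AS_PATH, then lowest first-hop ASN
    as a deterministic stand-in for the router's later tiebreakers. Real
    routers consult LOCAL_PREF before any of this, and LOCAL_PREF is set by
    the operator and invisible from outside, so it can override everything
    shown here."""
    return min(candidates, key=lambda hops: (path_length(hops), hops[0][0]))


def adjacencies(routes):
    """Derive an AS-level 'neighbour list' from observed paths, which is how
    public BGP visualisers build the peer lists the post links to: two ASNs
    adjacent in an AS_SEQUENCE are assumed to exchange routes. Edges that
    touch an AS_SET are skipped because its members are unordered."""
    adj = defaultdict(set)
    for (vantage, _prefix), paths in routes.items():
        for hops in paths:
            prev = (vantage,)
            for hop in hops:
                if len(prev) == 1 and len(hop) == 1 and prev != hop:
                    adj[prev[0]].add(hop[0])
                    adj[hop[0]].add(prev[0])
                prev = hop
    return adj


def selected_path(routes, vantage, prefix):
    return best_path(routes[(vantage, prefix)])


def crosses(hops, asn):
    """True if asn is on the path. Membership in an AS_SET counts as a hit,
    because aggregation hides which member actually forwarded the route."""
    return any(asn in hop for hop in hops)


def transit_report(routes, prefix, asn):
    """For every vantage with a route to prefix: does the route it would
    actually use pass through asn? (A vantage never lists itself.)"""
    return {vantage: crosses(best_path(paths), asn)
            for (vantage, p), paths in routes.items() if p == prefix}


ROUTES = parse_routes(CONSTRUCTED_ROUTES)

if __name__ == "__main__":
    origin, carrier, prefix = 64500, 64510, "203.0.113.0/24"
    print(f"AS{origin} neighbours as a visualiser lists them:",
          sorted(adjacencies(ROUTES)[origin]))
    for vantage, hit in sorted(transit_report(ROUTES, prefix, carrier).items()):
        shown = " ".join("{%s}" % " ".join(map(str, h)) if len(h) > 1 else str(h[0])
                         for h in selected_path(ROUTES, vantage, prefix))
        print(f"from AS{vantage}: path [{shown}] crosses AS{carrier}: {hit}")
```

On the constructed data, AS64510 shows up as a neighbour of the origin (the IXP adjacency is visible in the 64510 and 64506 vantage paths), yet only AS64506's traffic actually crosses it; AS64505 and AS64507 select a path through the transit providers. To repeat the check on real routes, replace the constructed lines with AS paths for the prefix taken from a public looking glass or a route collector, and remember that LOCAL_PREF inside each network, not AS path length, is what finally decides, so a path that looks longer can still be the one in use.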